Package: dcap
Version: 2.47.10-3
Severity: important
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: TLS1.0_1.1_removal

Your package uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this no longer
works, because that build provides only TLS1.2. See also [0].

Please switch to SSLv23_method() | SSLv23_server_method() |
SSLv23_client_method() or the recommended openssl 1.1+ functions:
TLS_method() | TLS_server_method() | TLS_client_method() as per
man-page [1].

The code I identified which probably needs to be replaced:

dcap-2.47.10/plugins/ssl/sslTunnel.c:
| int eInit(int fd)
| {
|…
| ssl_ctx = SSL_CTX_new(TLSv1_client_method());
| ssl_con = (SSL *) SSL_new(ssl_ctx);

An example for replacing a TLSv1 only connection with any possible
version would look like this:

- ctx = SSL_CTX_new(TLSv1_client_method());
+ ctx = SSL_CTX_new(SSLv23_client_method());

If you want to use the openssl 1.1 function you need extra version
checks:

- ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ ctx = SSL_CTX_new (TLS_client_method ());
+#else
+ ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif

Note that openssl is usually configured (at build time) to not allow
SSLv2 and SSLv3 connections. However, if upstream wants to be sure to
have it disabled you can add this:

+#ifdef OPENSSL_NO_SSL3
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif

to make sure it is not used for a connection even if the currently
installed libssl library is supporting it.

[0] https://lists.debian.org/msgid-search/20170807014238.mf64rdvgpdkpa...@roeckx.be
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html

Sebastian
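Review bot: the `#ifdef OPENSSL_NO_SSL3` and `#ifdef OPENSSL_NO_SSL2` guards around the two SSL_CTX_set_options() calls in the last suggested snippet are inverted relative to the stated goal. OPENSSL_NO_SSL3 (resp. OPENSSL_NO_SSL2) is only defined when libssl was built without that protocol, so SSL_OP_NO_SSLv3 would be set exactly in the case where SSLv3 cannot be used anyway, and skipped when the installed library does still support it, which is the case the text wants to cover ("even if the currently install libssl library is supporting it"). Either drop the guards, since SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2 remain defined in OpenSSL 1.0.x and 1.1.x regardless of build configuration, or turn them into `#ifndef OPENSSL_NO_SSL3` / `#ifndef OPENSSL_NO_SSL2` so the option is applied when the protocol is compiled in.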
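As an added example, not part of this bug report or of the dcap source, the same migration expressed with Python's standard-library ssl module, which wraps the OpenSSL calls discussed above: a version-flexible client context (the TLS_client_method() equivalent) with an explicit TLS 1.2 floor and SSLv3 excluded, beside a constructed stand-in for the old TLSv1-only context, and a small audit that flags the legacy configuration. The function names, the stand-in and the finding strings are my own constructs.

```python
"""Added example (not from the bug report or dcap): OpenSSL version-method
migration shown through Python's ssl module.

Rough correspondence to the C API in the report:
  ssl.PROTOCOL_TLS_CLIENT          ~ TLS_client_method() / SSLv23_client_method()
  ctx.minimum_version / maximum_version ~ SSL_CTX_set_min/max_proto_version()
  ctx.options |= ssl.OP_NO_SSLv3    ~ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3)
"""
import ssl
import warnings


def make_client_context() -> ssl.SSLContext:
    """Version-flexible client context: negotiates the highest version the
    linked libssl supports, but never below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Belt and braces against a libssl built with SSLv3: refuse it outright.
    # (SSL_OP_NO_SSLv2 is a no-op on OpenSSL >= 1.1.0, which has no SSLv2.)
    ctx.options |= ssl.OP_NO_SSLv3
    return ctx


def legacy_tlsv1_context() -> ssl.SSLContext:
    """Constructed stand-in for the pre-fix TLSv1_client_method() context:
    pinned to exactly TLS 1.0, so a peer offering only TLS 1.2 cannot
    complete a handshake with it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Modern Python warns when TLS 1.0 is selected; that warning is
        # the point of the demonstration, so silence it here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a context.
    An empty list means the context follows the report's recommendation."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2")
    mx = ctx.maximum_version
    # MAXIMUM_SUPPORTED is a negative sentinel meaning "no ceiling".
    if mx != ssl.TLSVersion.MAXIMUM_SUPPORTED and mx < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "maximum protocol pinned below TLS 1.2: "
            "a TLS 1.2-only peer cannot connect")
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 not explicitly disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("legacy TLSv1-only", legacy_tlsv1_context())):
        print(f"{name}: min={ctx.minimum_version.name} "
              f"max={ctx.maximum_version.name} findings={audit_context(ctx)}")
```

The legacy stand-in reproduces the failure mode behind this bug: with its ceiling pinned at TLS 1.0, a libssl that offers only TLS 1.2 has no common version to negotiate, which is exactly why the TLSv1_client_method() call in sslTunnel.c stops working.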